Australia plans to toughen privacy rules to force companies to notify banks faster when they experience cyber attacks, Prime Minister Anthony Albanese said on Monday, after hackers targeted the country’s second-largest telecoms firm.
Optus, owned by Singapore Telecoms Ltd (STEL.SI), said last week that home addresses, drivers’ licences and passport numbers of up to 10 million customers, or about 40% of the population, were compromised in one of Australia’s biggest data breaches.
The attacker’s IP address, or unique identifier of a computer, appeared to move between countries in Europe, the company said, but declined to detail how security was breached. Australian media reported an unidentified party had demanded $1 million in cryptocurrency for the data in an online forum but Optus has not commented on its authenticity.
Albanese called the incident “a huge wake-up call” for the corporate sector, saying there were some state actors and criminal groups who wanted to access people’s data.
“We want to make sure … that we change some of the privacy provisions there so that if people are caught up like this, the banks can be let know, so that they can protect their customers as well,” he told radio station 4BC.
Cybersecurity Minister Clare O’Neil said Optus was responsible for the breach and noted such lapses in other jurisdictions would be met with fines in the hundreds of millions of dollars, an apparent reference to European laws that penalise companies 4% of global revenue for privacy breaches.
“One significant question is whether the cyber security requirements that we place on large telecommunications providers in this country are fit for purpose,” O’Neil told parliament.
Optus said it would offer the most affected customers free credit monitoring and identity protection with credit agency Equifax Inc (EFX.N) for a year. It did not say how many customers the offer applied to.
The telco has now alerted all customers whose driving licences or passport numbers were stolen, it said in an emailed statement. Payment details and account passwords were not compromised, it added.
Australia has been looking to beef up cyber defences and pledged in 2020 to spend A$1.66 billion ($1.1 billion) over the decade to strengthen the network infrastructure of firms and homes.